That discussion is fascinating just for how dramatically the tone on Google has shifted in the past 11 years. Top comment is a defense of Google, top reply to them is more concerned with US laws than with Google's voluntary behavior.
And this was after Steve Jobs started the war on Google and mentioned privacy as a concern during his era. It took the world 15 years and nearly 10 years after his death to understand this.
I remember asking people who supported Google before or after their IPO how they make money with your Data. No one cares. I remember pushing for Firefox instead of Chrome in 2009, no one cares. Not even on HN.
The sad thing is that those who stood up for privacy got bashed down for so many years and never received an apology. Those who defended Big Tech like Google is safe to use our data never apologised.
People do care, they are just sort of powerless to do anything.
Try the following exercises:
- try not to use google docs at work
- try to block google sites from your phone
- try to pay for things on the internet without accessing google/recaptcha/etc
It is both too big and too small of a problem for most people to deal with.
I know most technical people have done these sorts of things, but it is sort of like being your own sysadmin/security researcher. It's probably easier to run your own mail server in comparison.
I want to keep using Firefox, but the performance gap between it and Chrome keeps getting worse. My bank's online site takes upwards of 2 seconds to redraw in Firefox now when I scroll, whereas in Chrome scrolling is virtually instantaneous. Same thing with Google Streetview. PDF rendering in Firefox and Thunderbird takes upwards of 20 seconds to render the first page of common documents, while evince is a few hundred milliseconds. This is on my laptop running recent Fedora. I'm still mostly using Firefox, but my patience is almost done.
I don't think it's fair to call that "performance gap", when for sure your bank never invested one second to even test, to say nothing of optimizing their site for Firefox. As for PDFs I never noticed that delay (sample size of one). Weird.
Gosh, if only there was a device vendor who didn’t do that, and offered the option for encrypted cloud backups and e2e encryption for all your inter-device traffic, and designed their privacy-sensitive services to work on anonymized tokens instead of device identifiers or user accounts…
… but apple sells ads too therefore every option is equally bad!
It’s funny to see people admit with the AI stuff that apple is getting it right, introducing privacy-protecting approaches and services, etc, yet refuse to admit that the same perspective and approaches have informed all their services for a long time. In the day to day, there is no legitimate debate that Apple Maps is vastly more privacy preserving than google maps, etc. People use some weird purity test where because App Store ads exist suddenly apple is the same as a literal adtech company.
> … but apple sells ads too therefore every option is equally bad!
Yes.
It also doesn't help that said device vendor has been trying to destroy computing freedom while sabotaging open standards left and right.
> It’s funny to see people admit with the AI stuff that apple is getting it right, introducing privacy-protecting approaches and services, etc, yet refuse to admit that the same perspective and approaches have informed all their services for a long time.
It's funny that different people on the Internet express different and sometimes conflicting opinions?
> Yes, I'm sure their CSAM was trained on publicly available data. They sell broken-by-design devices with decades old kernel for an exuberant price but people still fall for the stale "sEcUrItY" marketing pitch. Talk about naive.
and see, the problem is that people think this passes for a rebuttal, or even civilized discourse. You're literally the exact cliche that pops up in every discussion around privacy that I was referring to in my comment above.
It truly costs you nothing to have a little bit of civility and class. Most of us are here to discuss and not to meme about “le apple CSAM”.
I'm guessing that you're arguing about something that literally doesn't exist, to be honest. Endpoint CSAM scanning was never rolled out to consumer devices, it was a proposal from the EU (that popular savior!) that Apple successfully stalled and navigated until E2E was ready for rollout, upon which they said "lol no, that's stupid" and then the push fell apart.
Regardless though, complying with lawful authorities inside their jurisdictions is something that every corporation is gonna have to do... even in china. If the EU makes dumb decisions, it's not exactly Apple's fault. EU sovereignty cuts both ways, sometimes you get GDPR and sometimes you get mandatory nannyware. But since it didn't pass, I don't know why you'd bring it up as even an issue, let alone as being something caused by apple?
And again, to go back to the start, the fact that this vague "apple bad" argumentation is so routine and so tolerated is silly. You're mad about something that wasn't caused by apple and didn't actually happen anyway. It's vague tonal FUD and virtue-signaling to other people who are similar haters, and there's enough people who upvote/echo similar sentiments that it is self-sustaining. You can address the point without ducking out to random "but what about that one unrelated-to-apple bad-thing that almost happened that one time???" virtue-signaling points.
Just like they, and Microsoft, and many hardware manufacturers, also know every banking password/legal document/medical data in the world. Closed operating systems, applications, drivers, can all be used to exfiltrate data unbeknownst to users, including administrators. We're forced to give them some trust, otherwise the only choice would be to use only systems, software, hardware that is completely open down to the last bit, which sadly don't exist as a whole.
This sort of ideological take is lacking necessary nuance and is ultimately thought-terminating. There’s a difference between trust and concrete proof that something is happening, and there are degrees of both. Information security is somehow a justified field despite the fact that only a very small handful of shops own the full stack. It’s all about understanding and mitigating risk.
I don't disagree in principle but let's not conflate the trust required for proprietary software with the trust required for a service that is known to exfiltrate your data.
I may have read too much science fiction, but the mere fact that someone has full access to all my data worries me, if not because we don't know anything about which form of government we would have in, say, 10 years, and how easily a corrupt government could force those businesses to surrender that data in order to find their "enemies".
BTW, I don't live under a rock, I do online banking from the PC and have pretty much given up telling my lawyer and doctor not to use Whatsapp to send and receive sensitive documents, then keep them in their unencrypted phones, but that doesn't prevent me from being worried by how easy it has become to obtain personal data about someone for those who can.
I'm certainly not OK with that. I'm not OK with a router sending anything whatsoever off to a mystery server somewhere (sending data somewhere when the user overtly sets it up to do so is OK), and any router that does that is not fit for purpose in my view.
That said, I haven't considered Linksys routers to be fit for purpose at all for years now anyway.
I understand your concerns and feel exactly the same. But I think at a certain point you can only care so much and dedicate so much time to it. With a home network you can obfuscate so much with little know how, and further you ultimately are "aware" of all packets being sent via examining your own traffic.
The real problem is cars, IoT Devices. Do you drive a vehicle newer than model year ~2015? That thing is sending all kinds of telemetry to OEM manufacturer and their entire supply line of OEM suppliers. That data is firstly used to audit and evaluate functions in the vehicle for future iterations....but then that data is sold as many times as they can to research firms, advertisers, gov't planning boards etc.
Taking ownership of the vehicle is you signing away any investigation or litigation rights, or even access to those data/data systems.
I think THIS is where data privacy awareness needs to be pivoted to, Geolocating "iot" devices like vehicle CPU that no one, not even service techs can ever access.
> Do you drive a vehicle newer than model year ~2015?
No, I don't, for that exact reason. Some things are important enough for me to go to the effort to find a way to mitigate the security threat they pose. Other things, like relatively modern cars and IoT devices that I can't control, aren't important enough to do that. Instead, I just don't use them.
I applaud your dedication. 2015 is almost ten years ago, this won’t work forever and at some point all used vehicles that are in a dependable condition will be 2015 or newer. What then, if telemetry can’t be disabled by the user?
I'm old enough that I seriously doubt the world will run out of suitable used cars within my lifetime. My current car is from 2005 and still runs like new.
But if that day comes, I'll figure out how to disable the radio. If that's not possible, then I'll stop owning a car.
Do you recognize the drastic changes the world would have to see to prevent a dedicated individual from driving what they want in any half-way liberal legal environment?
The US, for example, allows one to build a kit car totally by oneself, and the waitlist for VIN certification is fairly short. If you want to shortcut the VIN certification you can build a car on a car that has at least 30% of the original frame intact and piggy-back onto that VIN number with proper certification. If that frame is older than the mid 70s, go hog-wild; you can operate it with a coal engine if you want to.
If you're a 'dedicated individual' that is concerned with having a modern car that is engineered well for safety's sake, then go buy a kit from the hundreds of companies that do nothing but engineering work.
If you're afraid that there will be electrification mandates, no worries -- there are hundreds of startups focused on the conversion of existing ICEs into EVs.
What I'm trying to say : a world locked down to prevent all forms of vehicular autonomy is a lot different than the one we exist in today; it's not something easily predictable to assume when that will end, given the many different venues one can explore to express vehicular autonomy and individualistic choice.
Your GPS/radio head unit is likely not at all the one reporting data maliciously to OEM/Vendor integrators etc. GPS is an open standard at least until the US Military says "this is no longer open."
Auto OEMs as a rule have more "data points" for inference than any other hardware platform/software integration. I.e., actions you take in the car and the info gleaned from those actions are more valuable to marketers than data from your cell phone. None of this needs a GPS signal, there are dozens of speed, time, weight, weather, delta sensors.
Ford for example can brag that it, more than any other manufacturer on the planet, knows exactly how often you go to gas station X from location Y, if you get gas, and where you go after. They can tell where you look, how much you weigh, your common routine, even your contacts PID. Your type of "personality" can be determined trivially (i.e. buying/travel habits).
Your vehicle is 100 percent complicit in building a marketing/safety profile for you.
Is this^ even "bad"? I think so. But I am not an expert and have yet to have an issue with it in my life.
> But I think at a certain point you can only care so much and dedicate so much time to it.
That is most likely what _Linksys_ did.
Please! Let's not just accept this poor state of security and somehow try to be apologetic for this issue. The BAR IS SO LOW .. Do not send unencrypted PII over the internet. And bonus points for not sharing someone's WiFi password with a third party. A third party in the US. We can probably assume that some three letter US government agency has intercepted all these requests.
The bar is really low. This is basic stuff. Zero need to be nice to Linksys.
>> Taking ownership of the vehicle is you signing away any investigation or litigation rights, or even access to those data/data systems.
I'm waiting for more of the post-2015 models to hit the secondary markets before the legal system sorts this out. When someone buys a used car for cash from an independent dealership, I seriously doubt they have sufficiently signed off on such data collection.
> With a home network you can obfuscate so much with little know how, and further you ultimately are "aware" of all packets being sent via examining your own traffic.
While I do still encourage people to do this as any security is better than no security, it is worth noting that you can entirely bypass things like a DNS block (i.e. pihole). For example, your browser probably does. Idk where it is in Chrome, but in Firefox you can go to Settings > Privacy & Security[0] and down at the bottom is "Enable DNS over HTTPS using:". Which, in general, I'd also encourage people to use. Cloudflare suggests this feature is available in Brave, Chrome, Edge, and Firefox[1].
So I'm saying there's an extra step to be aware of because if you rely on only DNS to perform the blocking, then it may not catch everything because there might just be a host file with the IPs manually specified. Which isn't unlikely.
I think the bigger problem is the complexity of all of this and how we're all being spied on unknowingly and in unexpected ways (you might know that you're being spied on in some ways but I'm willing to bet there's also ways you don't know). It's pervasive, invasive, and quite difficult to escape for even technologically adept people. And we shouldn't have a society where people are victims of things just because they do not have domain expertise in that subject matter. No one is a domain expert in all domains and it would be ludicrous to suggest one could be in even several of the critical ones.
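A defensive check for the gap described in the comment above, added here as an example and not part of the thread: correlate the local resolver's answers with outbound flows and flag connections that bypassed it (direct DNS, a public DoH resolver, or a destination IP the client never resolved locally). The log formats, LAN range, resolver address and the short public-resolver list are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
LOCAL_RESOLVER = "192.168.1.2"                # assumed address of the blocking resolver
# Short illustrative list of public resolvers that also answer DoH on 443.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample data; both line formats are invented for this example.
# DNS answers handed out by the local resolver: "<epoch> <client> <qname> <answer-ip>"
DNS_LOG = """\
100 192.168.1.10 example.com 203.0.113.10
105 192.168.1.20 updates.tv-vendor.example 198.51.100.7
"""
# Outbound flows seen at the router: "<epoch> <src> <dst> <dport>"
FLOW_LOG = """\
101 192.168.1.10 203.0.113.10 443
106 192.168.1.20 198.51.100.7 443
110 192.168.1.20 192.0.2.55 443
120 192.168.1.10 1.1.1.1 443
130 192.168.1.30 8.8.8.8 53
140 192.168.1.10 192.168.1.2 53
150 192.168.1.30 203.0.113.10 443
"""


def parse_dns(text):
    """Return {client: {answer_ip: earliest_epoch_it_was_handed_out}}."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, _qname, answer = parts
        ts = int(ts)
        seen[client][answer] = min(ts, seen[client].get(answer, ts))
    return seen


def parse_flows(text):
    """Return a list of (epoch, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def classify(flow, resolved):
    """Return a reason string if the flow sidestepped the local resolver."""
    ts, src, dst, dport = flow
    # Plain DNS (53) or DNS over TLS (853) sent anywhere but the local resolver.
    if dport in (53, 853) and dst != LOCAL_RESOLVER:
        return "direct-dns"
    if ipaddress.ip_address(dst) in LAN:
        return None  # LAN-internal traffic is out of scope
    # HTTPS to a well-known resolver address is most likely DoH.
    if dport == 443 and dst in PUBLIC_RESOLVERS:
        return "doh-resolver"
    # The destination was never handed to this client by the local resolver
    # before the flow started: hard-coded IP, or a name resolved elsewhere.
    first_seen = resolved.get(src, {}).get(dst)
    if first_seen is None or first_seen > ts:
        return "unresolved-ip"
    return None


def find_bypasses(dns_text, flow_text):
    """Return [(src, dst, dport, reason)] for flows that bypassed the resolver."""
    resolved = parse_dns(dns_text)
    findings = []
    for flow in parse_flows(flow_text):
        reason = classify(flow, resolved)
        if reason:
            findings.append((flow[1], flow[2], flow[3], reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in find_bypasses(DNS_LOG, FLOW_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

An "unresolved-ip" finding is a lead to investigate rather than proof: a client may be using an address it cached before the log window started.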
Ethernet was added to the HDMI standard since version 1.4 and most cables today support that. If your TV is connected to an already networked box via a HDMI cable, chances are that it won't need a WiFi connection to go online.
Also, it could connect to an open WiFi without telling the user since it wouldn't need any input to enter credentials. It is becoming a lot harder to remain offline, at least with TVs.
Why wouldn't it? Apple has a whole network of devices that relay data from other devices. It's not like you can even check the software running on their products.
Because it's an extra expense to support it with basically no value. The reason to give a TV a network connection would be to use the applications built into the TV... ones that you don't need if you're using an Apple TV.
And hell, I can't even find any evidence that there's TVs that support HEC.
The value comes from the value of selling ads and knowing everything about the product. In this case the viewer. Value prop for building the ability to still have insight into your product is there. It captures all the people who think they are clever by not connecting through WiFi and not understanding that it can be done over HDMI.
Rumor has it that some devices will connect to other networks. I'm not sure this has been proven but it seems a bit hard to catch and it seems like a thing that could be done in the name of accessibility. I'd be interested if anyone has dumped firmware and looked to see if it does or doesn't happen.
Either way, not connecting your TV to wifi isn't an excuse for the behavior. Good for you, but that doesn't justify their actions or make anybody who is not up to date with what kind of spying happens any less of a victim. It shouldn't happen even if you are able to get around them. You should be able to use wifi AND not be spied on. Full stop.
I have seen it. I like to run an open wifi AP. The way I have it set up it sort of sucks, throttled about as low as I can get it, you could read HN on it but most websites are very unpleasant to use. Anyway, the point is, for the most part my only customer is my neighbor's Samsung TV sending some sort of click and navigation updates back to the mothership. Now I don't "know" that it wasn't attached to intentionally, but I suspect the TV was just happy to attach to anything it could find.
You ever think about asking your neighbor? Could also make an interesting blog post as I think there are a lot of people interested in this subject. It's also not that easy of a topic to Google. The results all focus on how to connect your TV to wifi rather than trying to find the specific issue. There's definitely HN interest in it.
So you are knowingly helping Samsung spy on your neighbor. Have you thought about the ethics of what you are doing?
Anyway while I would not call the original accusation of the TV using any open WIFI automatically out of the question this experiment provides little evidence of that. It's hardly unthinkable that your neighbor or someone using their TV just clicked OK on some prompts to make them go away and thereby selecting the first network in the list. It's also not unthinkable that your neighbor wanted to use some functionality that requires an internet connection to set up and just didn't pay attention to the WIFI network selection.
I think Fire TVs may connect over Amazon Sidewalk to someone walking by your house. Samsung was caught sending screenshots of people's smart TVs, which could be being used as desktop monitors.
It’s called ACR, Samsung is very proud of it and sells it to whoever will buy it. They can tell what you’re watching even if it’s from a divx file on your SD card.
I suspect this is an internal sabotage from devs not agreeing with it - plaintext is easily observable and people can figure it out, causing a PR damage; encrypted passwords are basically untraceable.
Meanwhile, in reality, the offshore development firm being paid per line of code from Linksys farmed the work out to juniors who haven’t graduated and couldn’t care less if something is encrypted or not.
Sure, log your objection between the choice of Tailwind and Bootstrap. In professions more serious than software, people generally use their spines and say "no" when they see problems to the degree of passwords sent in the clear.
The most you can expect from PR damage like this is that maybe an update goes out faster that fixes the problem (or at least hides it better). Nobody is afraid of bad PR. The most hated companies in the US are also massively wealthy and successful. If people refused to buy routers from companies that pulled shit like this, nobody could buy a router. You can enter pretty much any major brand of wireless router into google next to words like "hardcoded" "backdoor" and "plaintext" and get results going back decades.
Bold of you to assume that the development wasn't farmed out to the cheapest subcontractor in a developing country that doesn't even know how to spell IoT.
I regularly review PRs from developers with English as a first language with various spelling mistakes in variable names, code comments, commit messages, etc.
Not Wi-Fi routers, but I don’t see why those developers wouldn’t be able to slowly churn through Jira tickets for a router software.
> I suspect this is an internal sabotage from devs not agreeing with it
No, it's probably devs not even caring about it (or not caring enough to push back on deadlines). It's surprising what people will do if they aren't forced to do the right thing (passwords checked to version control, proprietary code pasted in Stackoverflow) and so on.
That's definitely the worst thing. There's nothing like being on my computer doing something, thinking "oh let me go update a setting or check some status on my router" then remembering "oh that's right, I bought Eero, let me go try to use the crappy iPhone app where I can't even multitask, instead of the full computer right in front of me."
This article goes on about the Man In The Middle vulnerability, but doesn't bother to explain why there is a Middle to begin with, or why Amazon gets to put a Man at the End!
Android needs a "Backup My Data to My Own Cloud/Device" option. Unfortunately that's gotten much harder to do over the years (as they've neutered the relevant APIs).
Yeah. tbh we are lucky on the Apple side that itunes existed and had a backup facility (Presumably because WAN speeds were so slow for many people in 2007). You can bet if the iOS platform were created today, local backup would have never been a thing there either. "Just trust the cloud!"
Password managers are very different. The details get encrypted using a passphrase, and only the encrypted data gets sent to the password manager. You don't have to trust the backend unless the frontend is changed to send non-encrypted data and/or your passphrase.
I use KeepassXC and synchronize the encrypted database across my devices using my own Nextcloud instance. But even if I used a mainstream cloud provider, that wouldn't matter since the db is encrypted and decrypted locally.
Regarding trusting the frontend, in my case I just need to check that KeepassXC itself isn't sending data around. Which I admit I didn't do so far, but in my view the alternative of reusing passwords is much more likely to get you in trouble compared to the likelihood of KeepassXC sending your data to a third party without anyone noticing.
Yes but, depending on how the ecosystem is built, the amount of trust needed can be smaller or greater. Reality isn't black or white, we also have shades and colors.
Of course. I'd just rather trust many people narrowly rather than trusting a few people with everything. And the people who can push updates to password manager front ends... we're trusting them with everything. It's a situation which calls for a bit of extra diligence.
You might consider 1Password. They don’t have the key so they effectively only see all of the data in encrypted form, not even revealing the site, if I recall.
They have some fascinating papers about it, if I recall.
That's standard for all password managers IIRC. If they can get into your vault without your master secret then it is a bad password manager.
What has happened to some password managers though is that they don't store the metadata encrypted (like username, website name, etc.) so that leaks have revealed which sites you use but I don't think any decent password manager has leaked passwords without a client being hacked, right?
>Just reading these comments - is everyone OK with them sending your password to a server, but not with the lack of encryption?
Take a poll and see how many iPhone users are here. Now realize the remainder are on some OEM Android! 50/50 I am the only one to reply to you running GrapheneOS. People WANT it to be this way, because any other way is too much work. It's how oligarchy arises!
I am not being hyperbolic, y'alls bitlocker codes are going to Microsoft soon if not already with 24H2.
Being into technology on a tech hacking [orange] subreddit does not put one into the same group as the tradecraft-savvy.
No, and all it does is prove, once again, that big tech companies cannot be trusted to sustain even common sense privacy concerns.
We need a privacy bill of rights. It’s time! The GDPR shows the way, and we can even improve on it with hindsight.
We’ll never get ahead of the data harvesting and exploitation of that data without it and all of this becomes quite an acute problem when we add low cost cognitive digital intelligences to the equation.
This is a big reason I despise the fact that so many ISPs just bundle routers into their modems.
At least with Comcast it seems like they have the ability to modify and (I assume) see this stuff in plain text. Who thought that was acceptable from a security standpoint I will never understand.
psword = use of this password confers in perpetuity, unlimited use of any and all google products and services with no cost or liability, as the owner of the password sees fit
> There’s no useful attack that can be waged against your devices with knowledge of your wifi password.
Famous last words.
> The idea that your LAN is a security boundary is out of date by decades.
I'm sure there are plenty of device and software vendors that haven't gotten the news. And exploits exist - no reason to carelessly discard a defensive layer just because it isn't 100% perfect.
Via the TR-69 mechanism, Verizon FiOS routers send your local wifi password to their central management system. The excuse I've heard for this is to "allow support agents to assist users who forgot their passwords"
The level of effort and obviousness of an email reset is nothing compared to helping someone figure out how to reconfigure every smart device ever made.
So it's a bad usecase for a password, then. Perhaps every router should ship with a preconfigured VLAN for shitty smart home stuff that is a lot more open, or maybe we should stop trying to stick internet into everything ever created.
Why should it be just the IoT devices that get the insecure network? Why not just stop trusting the LAN altogether and instead use technologies like HTTPS and DoH to ensure privacy on the important devices? That seems to be the way the tide is turning anyway.
Personally I'm all for that but people & packages seem to be pretty promiscuous about listen address defaults and assuming everything behind a router's NAT is trusted.
Treating the network as untrusted is good but as long as some people are paying for service, traffic and bandwidth there are reasons to not allow anything to use your network. And there is also a legal question of liability if someone is not quite above board from your IP.
Right, good point. There is of course the option to see saved wifi passwords on most devices... but I can see how an engineer decided to bypass all this bikeshedding and just send the damn password haha.
For Verizon owned routers? For company owned and supported equipment, I can understand it. I might not like it, but I can understand it. Especially if they are on the hook for support.
But, that’s why I run my own router for internet access. It’s my router and I can control what it does. If it goes down, then that’s on me. And I’m okay with that. Would I necessarily want the same setup for my parents? Probably not…
I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it." They do have that choice still, it must be some leftover regulation (from back when the US did that) in the case of cable companies, but I have zero problem with the ISP making those tradeoffs. The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.
Those who are security conscious enough to have concerns about their LAN security do not buy "internet + routers + desktop support as a service" by renting the endpoint equipment -- they buy just the internet connectivity and furnish equipment they can control and trust.
> I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it."
If you buy the equipment from Verizon, I will bet you a significant amount of money that it still sends your passwords to them [on edit: with exactly zero disclosure that's detectable to 99.99 percent of users]. In fact, I'll bet you Verizon treats customer-owned equipment exactly like rented equipment except in billing. But anyway.
> The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.
You park your car in bad neighborhoods. Had I not stolen your car, somebody else would have done it.
OK, I forgot we're talking about FiOS here. For sure that is slightly weirder than DOCSIS (which is all I've ever known personally). Since it's not really a standard like DOCSIS you probably "must have" some piece of Verizon-proprietary gear whether rented or otherwise and I'm sure Verizon remote-manages those in the same basic ways like you said. But I am pretty sure that still, security-conscious or advanced users can disable the Verizon device's WiFi and drop it into bridge mode and provide their own router and APs. To me this provides a way to opt out of this that is well within the capabilities of anyone sophisticated enough to understand the risks.
Not only. Probably all ISPs around the world who provide their customers a modem with an embedded (or not) WiFi router do the same.
EDIT: also, if your ISP has a mobile app from which you can change any password on ISP provided devices, then most likely it goes around in plain text (inside TCP/TLS packets, at least).
Every WiFi router I've ever owned, you hold the reset button for so many seconds to perform a hard reset, and the WiFi goes back to some default password. From there, you can login to the router and set a new password.
I thought WPS would have been the solution to the inconvenience of wifi passwords. If I were an ISP receiving too many support cases relating to the wifi password, perhaps WPS should be used more?
Sure, it’s what I do as a Verizon->Frontier->Ziply FiOS user. But most users are not going to go out and procure a bunch of Ubiquiti equipment or whatever, they’re going to take the defaults.
Also, with services like Xfinity, the monthly cost is substantially lower if you are using their router. This is because they scan the traffic for ad targeting, but most people don't care and don't want to buy their own router and then have to pay more per month to use it.
I thought it was more using their router, especially over time. They charge $15/month for the router/modem which doesn’t sound too bad, but is $180/year on a device that retails for $180 or so. And they’ll happily keep charging that, forever - long past when their costs and a reasonable profit have been made.
They also force you to share your cable/wifi connection with other Xfinity users who are near you.
Buying your own router and modem is a much better deal.
I've never been offered a better deal with Comcast/Xfinity for using their modems or hardware. Renting their stuff is $10/mo and a modem is $100, last I bought something like 5 years ago now, for a higher end one that supports gigabit service.
So, $100 or pay $10/mo forever, and over the past 5 years that $10 would be $600, or $500 saved by buying my own modem.
I use my own modem and router with XFinity, and I don't pay any more for doing it. In fact, I pay a little bit less because I'm not paying the monthly equipment rental fee.
That is, as long as I stay on top of it. Every 3 months like clockwork, they "forget" that I'm not renting their equipment and start billing me for it. I have to call them up and remind them.
Most of the CPE from various ISPs I've seen are barely powered enough to keep track of enough NAT connections. They're handing out devices capable of DPI on 100mb/s+ connections now?
This must be new. It's been about 8 years since I've had Xfinity but I always had my own modem and router and got a discount (i.e. didn't have to "rent" the modem).
Iirc it was something small like $5 or $15 a month... I really only did it for the better hardware and software.
This was earlier in the year, we had started hitting the monthly data caps on our plan and getting penalized.
I went in and the unlimited plan was about $15 less per month using their modem/router than my own (which I already had), plus the router was free (I'm not paying a monthly equipment "rental" fee).
One annoyance was that their router didn't allow spaces in the WiFi password, so I had to reconfigure all my devices.
I could set up the router in bridge mode where it acts like a dumb modem and continue to use my own router, but I have not bothered with that.
Honestly it would never even occur to me to call my ISP to help if I'd forgotten my wifi password.
Also I feel like if you are concerned about forgetting your wifi password you'd probably just keep the one that's written on the device (and which is probably quite a bit more secure than the password you'd come up with yourself).
Xfinity these days will have the tech set up your WiFi with your password. It's an integrated device so he'll set up the cable internet and then your WiFi. Monkeybrains is all "you're set up!" and then you add your own WiFi router. Sonic has you set up your own WiFi. AT&T has the WiFi password printed on the device along with the admin password.
That's my experience with ISPs in SF. It's clear that many people don't buy Internet access. They buy "WiFi" which is that Xfinity integrated service. The components don't matter.
I'm certain that nearly most, if not all users on hacker news have a pretty solid mental model of the basics of how internet connection works, and the responsibilities between the computer or device, wifi, home router, ISP, and internet web sites or other services.
But I've assisted people whose mental model is simply "Verizon put this box in my home and now I have internet". Who panic when a site doesn't load, and will call the first person they think is responsible for the problem. (typically, the company that gave them internet). Or more commonly nowadays, "my phone is my internet connection" -- and the only thing they think they have the power to do is to wave the phone in the air to find 'more bars'.
I suppose it makes sense from Verizon's (or any ISP's) perspective, and honestly, if you understand how all this works, then you understand how to trivially eliminate the issue, and then of course, you know when and when not to call Verizon with problems. (Of course, it'd be awful nice if they offered 'Shibboleet' [1] service for folks who do understand when the problem is between the site and the router.) HOWEVER, it'd be nice if they were more upfront with the disclosure of this password sharing ...
I’ve really disliked the change in the router industry where the routers have become ‘smart devices’ instead of reliable local networking hardware. This has turned into the same abuse of customers we see from others. For example TP Link uses the same dark patterns in their routers as companies like Roku, where they make updates to the terms of service and force you to accept it in a pop up if you want to use the app. And the app is the ONLY way to access most of the router configuration features, as compared to the old method where routers would let you navigate to a password protected website to configure them. So if you don’t accept the new terms, you can’t control your router that you were able to control all this time. Additionally their app constantly pushes trials of their useless and unwanted services through nudges within the app like red circular badges next to menu items and user interface elements. It wouldn’t surprise me if their terms also let them abuse my privacy and security in the same way as Linksys.
But who else do we go to? Every company is doing this. Maybe they just cannot survive without it. It’s probably why we need regulation here (consequences for security breaches, limitations on terms of service abuse, etc).
Is this actually plaintext, or is this plaintext-inside-HTTPS? The article and source material don’t say.
It’s pretty normal for passwords to be “plaintext” inside an HTTPS request. That’s how practically every login to a web app works. If it’s not HTTPS, there’s a whole slew of other issues along with putting a plaintext password in the request.
If it is HTTPS, then the issue really is just that the password gets sent anywhere rather than staying local. This is a lot more debatable as a practice, but unfortunately is also common for a lot of routers to support their cloud/app management functionalities.
> is also common for a lot of routers to support their cloud/app management functionalities
Why does the cloud need to know the wifi password to support mgmt functionalities? The only reasons I can think of right now are for more "automatic" setup of a second unit for meshing or if you want a factory reset to have the same password. Both of those cases have better solutions.
If it's for setting a new password I don't see why they need the old one, if it's for remote management access using the wifi password as the access credential then that seems both bad (access to my network should not mean access to manage it) and like it can be done a lot better if actually needed (send just a well salted and hashed password).
This appears to be a cloud password first setup feature. As in you type your new password into the app, the app sends your password to a cloud API, and then the cloud API instructs the router to change to the new password over a management API.
So the password is sent for a specific feature that legitimately wants it.
You could have the app connect to a special WiFi network and then communicate directly with an API exposed by the router. That's what my router does. But the experience of using a special-purpose WiFi network is janky on many common devices so I understand not taking that choice.
> But the experience of using a special-purpose WiFi network is janky on many common devices so I understand not taking that choice.
Yea, this is my hunch as well as to why this works this way. Consumers are easily confused, and asking them to disconnect from their currently working internet connection and connect to a router that hasn’t yet been set up (and might not be able to provide an internet connection) can get confusing. I know I’ve been in this situation before where I’ve been connected to a special-purpose network without an internet connection, need to look up some instructions online, but then remember I can’t because I’m not connected to the internet…
> and might not be able to provide an internet connection
But this router has to have an internet connection for this flow to work, right? Otherwise how can the router get the password from the cloud service?
What is needed is the device-to-router connection to work securely but by sending the wifi credentials plaintext that is not secure, so not sure what is won here.
The router itself has an internet connection but that doesn’t necessarily mean that all of the other stuff required to actually route traffic or connect other devices is configured (like DHCP).
It’d be possible to have some sane defaults in there to make it work, but I wouldn’t count on them to be 100% out in the field of who-knows-what-crazy-settings-this-consumer-has.
> sending the wifi credentials plaintext that is not secure
If the connection between the app, router, and cloud server are all HTTPS, then it’s probably more secure to do it that way than it would be to send it over an unconfigured, insecure WiFi network (which typically uses HTTP or unsigned certificates for the management interface).
It occurs to me now that the whole recent stuff that Apple has been pushing, where apps are banned from making HTTP requests (HTTPS only) may have been the impetus for this. Their "setup app" can't connect to http://192.168.1.1/ (or if it can, does so only after popping up dire warnings in scare dialogs) -- but it can connect to the "cloud" server so just send it up to the cloud and back down the WAN port. I can see how they arrived here. Still this is why "apps" suck for this purpose, but I bet they moved to apps because there are probably plenty of households without a working computer, who need wi-fi for their phones and Rokus, and this proved to be the friendliest way to do it.
Even if all that is true why would you not use a temporary password to then directly set the real password? It seems to me like they have not treated the password as an actual secret in this transaction.
Couldn't they then use a random password for the setup process and switch to the selected one when app and the router have connected? I'm pretty sure both android and iOS have APIs for apps to connect to wifi networks.
I'm just trying to ask: What is the scenario where the best (in both security and user-friendliness) solution is to send the wifi password in plaintext?
That API was introduced in Android 10. That's currently supported by only around 60% of Android devices globally and that number would have been lower when they decided how to implement this project.
My phone did have that API, and I subjectively still found the experience janky. But that's just my opinion.
You could send the password through the cloud server pre-hashed, or even better the cloud server could be used to establish an end-to-end encrypted connection from the app to the router.
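The "salted and hashed" and "pre-hashed" options raised in the comments above correspond to something WPA2-Personal already defines: the router only ever needs the 256-bit PSK derived from the passphrase with the SSID as salt. The sketch below is an added example, not code from the thread or from any vendor; the JSON message shape and the function names are hypothetical, and the sample passphrase is constructed.

```python
import hashlib
import hmac
import json


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PSK.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PSK per network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        # Printable ASCII only; note that the space character (32) is valid.
        raise ValueError("WPA2 passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def build_setup_message(passphrase: str, ssid: str) -> str:
    """App side: hypothetical body relayed via a cloud API. Carries the PSK only."""
    return json.dumps({"ssid": ssid, "wpa_psk": wpa2_psk(passphrase, ssid).hex()})


def router_apply(message: str) -> dict:
    """Router side: validate the relayed message and return the config to install."""
    body = json.loads(message)
    psk = bytes.fromhex(body["wpa_psk"])
    if len(psk) != 32:
        raise ValueError("PSK must be exactly 32 bytes")
    return {"ssid": body["ssid"], "psk": psk}


def station_can_join(config: dict, typed_passphrase: str) -> bool:
    """Simplified stand-in for the 4-way handshake: a client that types the
    passphrase derives the same PSK the router was given."""
    candidate = wpa2_psk(typed_passphrase, config["ssid"])
    return hmac.compare_digest(candidate, config["psk"])


if __name__ == "__main__":
    msg = build_setup_message("mickey mouse 42", "HomeNet")  # constructed sample
    print(msg)
    print(station_can_join(router_apply(msg), "mickey mouse 42"))
```

The PSK is still sufficient to join that one SSID, so the relay must be trusted with network access; what stays on the phone is the human-chosen passphrase, which may be reused elsewhere.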
If they intercepted it, then one must assume it was truly plaintext. Because if they were able to get access to the private key for Linksys's server certificate, that would be even bigger news.
I'm impressed a consumer test organisation has the technical expertise to detect this. You don't find this by using it as a consumer would. They had to do the effort to hunt for security bugs to notice this.
I really wish wifi router OEMs would use OpenWRT. They could skin it (ala gli.net) if they wish, but at least use it. It's open. It works. You can still differentiate your product by making it have MOAR ANTENNAS! and continue to add up all the speed numbers to make it look REALLY FAST!!!!
That and Apple should bring back AirPorts. They were easy to set up, performed well, had some advanced features, and got security updates for many years.
Two years ago or so, my office mate and I pulled out an old AirPort Extreme when our Fritz!Box broke. Not only did it still work very well, it was still pretty competitive as an 802.11ac router.
Or if they're worried about GPL stuff from Linux, there's also OpnSense, which works fine and I think is well respected.
I'm nerdy enough to have built my own router with OpnSense a few years ago, and it worked like a champ. The only reason I stopped was there was an issue with BSD and a specific Broadcom 10Gbe card that I couldn't work around, so I ended up hacking something together with ClearOS and eventually NixOS.
Yeah, I'm hesitant to share any of my configs directly since I might have done something wrong and I want at least a very cursory "security by obscurity".
That's a perfectly valid position to have IMO. Same reason I post only parts of my config publicly, the rest is hidden in a flake hosted on a private forge.
A whole bunch of GLI.NET devices use SOCs, where Linux mainline kernel support was never upstreamed. So buying GLI.NET is not a surefire way to obtain hardware that runs 'Proper OpenWrt', you still have to check the HCL, or better/up2date, the list of DTS files in the current git master of openwrt.
It's just not the upstream OpenWRT. Instead, it would be an ancient version of OpenWRT with an ancient Linux kernel (hint hint).
Guess why? Yeah, the same story as Android. Hardware vendors (those actually designing wireless chips, like Qualcomm and Mediatek) based their official SDK on an ancient version of OpenWRT and piled on tons of non-upstream-able patches to implement drivers.
This isn't limited to their Velop line. While converting my EA7500 to openWRT, I noticed this exact same information being sent as it tried to force me to login via the mylinksys web portal and tried to establish a link with the home server.
> Despite warning Linksys in November, no effective measures have been taken.
November? November?! OK, sure, there are a lot of holidays around then. But I would have expected public disclosure on something like this by end of January at the latest, unless the vendor is actively working / communicating about it.
Embarrassing. Not responding for months is actively malicious and should be punished as such, towards the entire company too, not just one throwaway developer to shift blame on to.
I wish Apple would get back into the WiFi router business again. I trust their privacy/security posture more than most other brands. Sadly they sell Linksys routers as the go to replacement for their previous products.
* source is available for the boot-loaders, all onboard devices.
* Firmware source available for all NPUs, 'offload engines', and other devices in Ethernet data path.
* mainline linux kernel supports a fully blob-free bootup (except Wifi/RF)
* a jumper enables trustzone access, with complete key management available to the enduser
* populated serial UART port header on the inside. (optional)
... Then I don't care who builds it. But I can't imagine Apple would build such a user-friendly device, that I could just easily install OpenWrt on 5 minutes out of the box. Plus they'd probably fleece you.
Consumers deserve far better than what they're getting from network gear manufacturers—crap, and grossly overpriced crap. I wish Apple would get back into the game and at least offer some grossly overpriced non-crap.
I certainly don't need Apple. My primary home router is a virtual machine running on a Proxmox cluster, and my house is serviced by three sub-$30 Netgear wifi 5 access points running OpenWRT with 802.11r fast transition on a wired backhaul.
I can't recommend any of that to my non-techy friends or family. I can't recommend Ruckus, either, as it's about an order of magnitude too expensive. Ditto for the other "prosumer" vendors.
We've been here before. OE firmware needs to be assumed hostile and either replaced with open source aftermarket firmware, or the device sequestered in a subnet with no internet access.
Taking a step back and thinking about this, this vulnerability/bad decision was a result of systemic disorganization.
It's not just the developer who wrote said code, as well as the backend developers who receive these outputs, but further, the organization did not have any kind of test/check and balance/security mechanism in place.
It's terrible given the router, especially in a world of IoT, may be the device on your network that should be the most secure.
Finally, now that it's public how bad the organization at Linksys is, it is trivial for a criminal to pay an employee to purposefully include backdoors.
The consumer router scene needs a security focused disruption.
Very happy with my own router with my own software (just regular Arch Linux ARM). :) The thing that guards access to and from my internal networks really deserves to not be so turdish. I'd hate to pay $350 for such a betrayal.
Some things can apparently only be bought with your own time, when it comes to "but you had to spend cumulative 3 days setting up your custom thing, so it didn't really cost $100" equation that people will throw at you if you tell them that you have built something yourself from relatively cheap components.
Does anyone think that Netgear isn't doing the exact same thing with Orbi? (It's a given that Google is doing it with Eero.) Anyone taking odds on Ubiquiti?
My access point is still Ubiquiti, since I haven't found a solution to get WiFi access across my house that works directly with my homebuilt router that I'm sufficiently happy with. I'm sure Ubiquiti is doing the same stuff, behind the scenes.
I'm open to suggestions if anyone has them on the best way to avoid this.
I have Ubiquiti APs that run off a local UniFi VM. The APs don't have internet access and the UniFi box has only limited access to grab firmware updates. No need to trust when you can enforce limits on a separate router running a FOSS OS like opnsense.
In case you know -- is there a way to get into Ubiquiti without having a drop where I need the secondary AP? Today I use an Eero at the cable modem and a second Eero just mounted on the ceiling upstairs with . I'd like to move to something that isn't locked down the way Eero is (and which has a web UI), but I like the whole 'mesh with a dedicated backhaul on a separate channel' thing. My house is constructed in a way that would make running ethernet upstairs not convenient.
It's slow as shit though. I had 5x U6-Mesh after ditching the Google/Nest Wi-Fi garbage. Now, I have U6-Enterprise running on PoE on dedicated copper. There's no substitute for the bandwidth afforded by physical media.
Can you define slow as shit? Was it worse than the Google/Nest Wi-Fi things? I am aware ethernet drops would be faster, but I just don't need 1Gbps in my bedroom -- just for the connection to be reliable and of a reasonable speed. My benchmark to beat would be what my Eero mesh thing gets.
And who built the OpenWRT firmware? I bought a gl.inet that comes with OpenWRT but since it's made in China (like every other router) I looked at the OpenWRT blobs and for all I know they're built in China too.
Years ago, I caught some overseas contractors writing passwords to a log file. It wasn't malicious on their part, it was ignorance. (But, that kind of mistake is highly unprofessional and shows a lack of insight from someone who should know better.)
I suspect that someone has some debugging flags that do this, and accidentally shipped with the flags set the wrong way.
Don't most websites send passwords in plaintext for login and rely on the connection being HTTPS for having any security at all? I don't like that, but seems to be very common, so I'm not surprised about the plaintext part of this article. But that the passwords are at all sent to a server, that did surprise me, good to know.
The article and source material are light on details here. My guess is that it is using HTTPS, but the researchers saw the plaintext password in the request and assumed “password in plaintext always bad”.
If the app isn’t using HTTPS, then the story would be much bigger than just the password being plaintext.
This is pretty light on details, but my guess would be there’s some app that you can use to reconfigure all your Wi-Fi repeaters at once and if you use the app, it erroneously transmits the password, which it needs, in plain text.
It’s not clear to me that the router sends the password rather than the app on your phone.
Perhaps this is a typo on your part, in which case, please excuse my strong words here. But passwords should never be transmitted in clear text. Encryption is cheap these days.
So, we should use common (hacked) passwords for our wifi routers. So, my password of 'mickeymouse' is probably compromised. (Password chosen because my young children can spell it from the disney show.)
When you start digging into outbound DNS traffic from consumer routers you can find a baffling amount of data sent. On the order of 50,000-100,000 DNS requests a month to their company servers (sometimes hosted in China).
I never use the phone app for my router, and always block the router calling back home through adguardhome. Linksys does 2 every minute, some other brands do it every 2 seconds.
Look, I'm a cowboy coder, through and through; but I still know better than to close the barn door after the horse bolted.
Information security and software processes aren't that closely related. You can be secure and yolo in production. You can run an extensive change management system and a) push mostly unnecessary cloud services, b) not use reasonable precautions to protect information in transit (and at rest) when sending to cloud services.
I picked up some of the Linksys Velop wifi 6 routers recently, because OpenWRT works on them, but I figured I'd try the factory firmware first... Woof, it's bad (but I only used the web interface... I wasn't willing to install the app), I lasted a day.
Forming a mesh involves the central node using the default password when accessing the other nodes. I guess that's effective, but felt pretty gross to me.
Why are you giving this company benefit of the doubt - just because it’s western? They haven’t even bothered to comment on the issue, they made no promise to fix it, for all you know they are selling your data to the highest bidder. And to anyone from China too.
If a Chinese company does it we are quick to label it stealing, but here we have the authority to regulate, and we go soft, oh no, it’s disorganisation, poor them, they’ve only been in this business for like 40 years or whatever.
Maybe we should assume malevolence, just like we do with China.
> Maybe we should assume malevolence, just like we do with China.
I'm fine with assuming ignorance for a brief window. But when the vendor doesn't reply after multiple repeated attempts, and no fix is in sight, it should quickly evolve from ignorance to willful malpractice at the very least.
Where did I give them the benefit of the doubt? I am furious at the network providers' ongoing negligence/incompetence. Either they are in bed with the NSA or they just suck at their job. Regardless of the root cause, we all suffer.
The mention of Huawei was to point out the humor that the government has banned a company on the potential for subtle back doors. Something like the xz exploit. Yet the domestic vendors put out trivially broken crap on the regular. How many Cisco devices have shipped with hardcoded passwords in the past decade?
Making this about foreign vs domestic is bullshit. There is no such thing as a friendly vulnerability.
Just quit allowing corporations to bake up pointlessly unique proprietary firmware blobs for every single device, and we won't have this problem! It's redundant work anyway.
"There is no such thing as a friendly vulnerability." is going right up there with "You can't trust code that you did not totally create yourself." in my list of favorite infosec quotes. Thank you!
Only the Hacker News crowd is arrogant enough to call them out for checking if that password was HTTPS but not for actually giving a fuck about the lack of privacy. SMH Hacker News
I would not expect my password to be sent to the server in the first place.